From 177887252ec18bd47373fb5c78b487dc788bea68 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Bl=C3=A4cker?=
Date: Wed, 11 Dec 2024 20:31:53 +0700
Subject: [PATCH] git action added to bypass PRs
---
 .github/workflows/forceMergePRBypassAudit.yml | 82 +++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 .github/workflows/forceMergePRBypassAudit.yml
diff --git a/.github/workflows/forceMergePRBypassAudit.yml b/.github/workflows/forceMergePRBypassAudit.yml
new file mode 100644
index 000000000..00109d18c
--- /dev/null
+++ b/.github/workflows/forceMergePRBypassAudit.yml
@@ -0,0 +1,82 @@
+name: Force-Merge PR (Bypass Audit Requirement)
+# - This git action may only be used in exceptional cases
+# - it can only be executed by the CTO or the Information Security Manager/Architect
+# - a valid reason must be provided in order to force-merge a given PR
+
+on:
+ workflow_dispatch:
+ inputs:
+ pr_number:
+ description: 'PR number to bypass'
+ required: true
+ justification:
+ description: 'Reason for bypass'
+ required: true
+
+jobs:
+ force-merge-pr-bypass-audit:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Fetch Information Security Team Members
+ env:
+ GH_PAT: ${{ secrets.GIT_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ ##### Unset default GITHUB_TOKEN (insufficient permissions)
+ unset GITHUB_TOKEN
+
+ ##### Authenticate with Personal Access Token
+ echo $GH_PAT | gh auth login --with-token
+
+ ##### Fetch team members of 'informationsecuritymanager' team
+ ORG_NAME="lifinance"
+ TEAM_SLUG="informationsecuritymanager"
+
+ TEAM_MEMBERS=$(gh api \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ "/orgs/$ORG_NAME/teams/$TEAM_SLUG/members" | jq -r '.[].login')
+
+ if [[ -z "$TEAM_MEMBERS" ]]; then
+ echo -e "\033[31mERROR: Could not retrieve team members of $TEAM_SLUG.\033[0m"
+ exit 1
+ fi
+
+ echo "The following users are members of $TEAM_SLUG: $TEAM_MEMBERS"
+ echo "$TEAM_MEMBERS" > team_members.txt
+
+ - name: Verify Actor's Team Membership
+ run: |
+ ##### Check if the actor is in the team members list
+ ACTOR="${{ github.actor }}"
+ TEAM_MEMBERS=$(cat team_members.txt)
+
+ if echo "$TEAM_MEMBERS" | grep -q "^$ACTOR$"; then
+ echo -e "\033[32m$ACTOR is authorized to approve bypasses.\033[0m"
+ echo "CONTINUE=true" >> "$GITHUB_ENV"
+ else
+ echo -e "\033[31mERROR: $ACTOR is NOT authorized to approve bypasses\033[0m"
+ exit 1
+ fi
+
+ - name: Log Justification
+ if: env.CONTINUE == 'true'
+ run: |
+ echo "Bypass approved for PR #${{ github.event.inputs.pr_number }} by $ACTOR."
+ echo "Justification: ${{ github.event.inputs.justification }}"
+
+ - name: Merge the PR
+ uses: actions/github-script@v7.0.1
+ if: env.CONTINUE == 'true'
+ with:
+ script: |
+ const pr = parseInt(core.getInput('pr_number'));
+ console.log(`Merging PR ${pr} now`)
+
+ const { context } = github;
+ await github.rest.pulls.merge({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: pr,
+ merge_method: "squash"
+ });
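Review bot: The merge step never receives the PR number the workflow was dispatched with: as far as I can tell `core.getInput('pr_number')` in actions/github-script reads the step's own `with:` inputs, not the `workflow_dispatch` inputs, so `pr` becomes `NaN` and `pulls.merge` is called with an invalid `pull_number`; read it from `context.payload.inputs.pr_number` instead. Two smaller issues in the same hunk: the Log Justification step prints `$ACTOR`, which was a shell-local variable of the previous step and was never written to `$GITHUB_ENV` (only `CONTINUE=true` was), so the audit line records no actor; and the justification is interpolated into the `run:` script as `${{ github.event.inputs.justification }}`, which the runner expands before bash parses the line, so free-text input becomes shell syntax — pass it through `env:` and quote it, as the rewrite below does. Because the justification only lands in the job log, which is retained for a limited time, consider also posting it as a PR comment or folding it into the squash commit message so the bypass reason stays attached to the PR. The membership check keys on `github.actor`, which on a re-run of a failed run may still name the original dispatcher rather than the person re-running it; comparing `github.triggering_actor` as well would close that gap. The workflow also declares no `permissions:` block, so the merge relies on whatever the repository's default `GITHUB_TOKEN` grants happen to be — declaring `contents: write` and `pull-requests: write` explicitly (and nothing else) documents and bounds what this job can do.

```yaml
      - name: Log Justification
        if: env.CONTINUE == 'true'
        env:
          ACTOR: ${{ github.actor }}
          PR_NUMBER: ${{ github.event.inputs.pr_number }}
          JUSTIFICATION: ${{ github.event.inputs.justification }}
        run: |
          echo "Bypass approved for PR #${PR_NUMBER} by ${ACTOR}."
          echo "Justification: ${JUSTIFICATION}"

      - name: Merge the PR
        # … unchanged: uses / if / with …
          script: |
            const pr = parseInt(context.payload.inputs.pr_number, 10);
            // … unchanged: console.log and the pulls.merge call …
```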